A little encouragement with Kerberos for NFS

Andrew B. Young andrew at an3e.org
Mon Jul 10 12:57:27 EDT 2006


Kevin,

Thanks for your help.  As you suggested I am posting this follow-up to 
nfsv4 at linux-nfs.org following my original post to kerberos at mit.edu.

Proceeding with your instructions I now have what is shown below.  Note 
that unlike my prior post I have included a tail of the NFS/KDC (the 
same) server's /var/log/messages, which I now see also has a relevant entry.

One other note:  After rebooting the server, changing /etc/exports, and 
re-exporting I received the cryptic message below.  This was executed 
before starting the NFS services.  I started the services and repeated 
the command without incident.
  [root at ns3 ~]# exportfs -a
  gss/krb5:/var/lib/music: Cannot allocate memory


Thanks!
Andrew

ns3: KDC and NFS server, FC5
ns2: NFS client, FC5

[root at ns3 ~]# exportfs -v  # Switched from krb5p to krb5
/var/lib/music  gss/krb5(ro,wdelay,root_squash)

[root at ns2 ~]# /sbin/service rpcgssd (re-)start  # following -vvv in 
OPTION of init script
/var/log/messages--
Jul 10 09:30:01 ns2 rpc.gssd[29375]: Using keytab file '/etc/krb5.keytab'
Jul 10 09:30:01 ns2 rpc.gssd[29375]: Processing keytab entry for 
principal 'nfs/ns2.an3e.org at AN3E.ORG'
Jul 10 09:30:01 ns2 rpc.gssd[29375]: We will use this entry 
(nfs/ns2.an3e.org at AN3E.ORG)
Jul 10 09:30:01 ns2 rpc.gssd[29375]: Processing keytab entry for 
principal 'root/ns2.an3e.org at AN3E.ORG'
Jul 10 09:30:01 ns2 rpc.gssd[29375]: We will NOT use this entry 
(root/ns2.an3e.org at AN3E.ORG)
Jul 10 09:30:01 ns2 rpc.gssd[29375]: Processing keytab entry for 
principal 'host/ns2.an3e.org at AN3E.ORG'
Jul 10 09:30:01 ns2 rpc.gssd[29375]: We will NOT use this entry 
(host/ns2.an3e.org at AN3E.ORG)
Jul 10 09:30:01 ns2 rpc.gssd[29375]: Using (machine) credentials cache: 
'FILE:/tmp/krb5cc_machine_AN3E.ORG'


[root at ns2 ~]# mount -t nfs4 -o ro,sec=krb5 ns3.an3e.org:/var/lib/music 
/mnt/ns3/music #now sec=krb5
mount: cannot mount block device ns3.an3e.org:/var/lib/music read-only
/var/log/messages--
Jul 10 09:31:02 ns2 rpc.gssd[29375]: handling krb5 upcall
Jul 10 09:31:02 ns2 rpc.gssd[29375]: Using keytab file '/etc/krb5.keytab'
Jul 10 09:31:02 ns2 rpc.gssd[29375]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_AN3E.ORG' are good until 1152635401
Jul 10 09:31:02 ns2 rpc.gssd[29375]: using 
FILE:/tmp/krb5cc_machine_AN3E.ORG as credentials cache for machine creds
Jul 10 09:31:02 ns2 rpc.gssd[29375]: using environment variable to 
select krb5 ccache FILE:/tmp/krb5cc_machine_AN3E.ORG
Jul 10 09:31:02 ns2 rpc.gssd[29375]: creating context using euid 0 
(save_uid 0)
Jul 10 09:31:02 ns2 rpc.gssd[29375]: creating tcp client for server 
ns3.an3e.org
Jul 10 09:31:02 ns2 rpc.gssd[29375]: creating context with server 
nfs at ns3.an3e.org
Jul 10 09:31:02 ns2 rpc.gssd[29375]: WARNING: Failed to create krb5 
context for user with uid 0 for server ns3.an3e.org
Jul 10 09:31:02 ns2 rpc.gssd[29375]: WARNING: Failed to create krb5 
context for user with uid 0 with credentials cache 
FILE:/tmp/krb5cc_machine_AN3E.ORG for server ns3.an3e.org
Jul 10 09:31:02 ns2 rpc.gssd[29375]: WARNING: Failed to create krb5 
context for user with uid 0 with any credentials cache for server 
ns3.an3e.org
Jul 10 09:31:02 ns2 rpc.gssd[29375]: doing error downcall
Jul 10 09:31:03 ns2 rpc.gssd[29375]: destroying client clnt7

[root at ns3 log]# tail -f krb5kdc.log
Jul 10 09:31:02 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (1 etypes {1}) 
64.165.113.66: ISSUE: authtime 1152549001, etypes {rep=16 tkt=1 ses=1}, 
nfs/ns2.an3e.org at AN3E.ORG for nfs/ns3.an3e.org at AN3E.ORG
Jul 10 09:31:02 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (1 etypes {1}) 
64.165.113.66: ISSUE: authtime 1152549001, etypes {rep=16 tkt=1 ses=1}, 
nfs/ns2.an3e.org at AN3E.ORG for nfs/ns3.an3e.org at AN3E.ORG

[root at ns3 log]# tail messages
...
Jul 10 09:41:04 ns3 rpc.svcgssd[10950]: WARNING: get_ids: unable to map 
name 'nfs/ns2.an3e.org at AN3E.ORG' to a uid
...


-------------- next part --------------
An embedded message was scrubbed...
From: Kevin Coffman <kwc at citi.umich.edu>
Subject: Re: A little encouragement with Kerberos for NFS
Date: Sun, 09 Jul 2006 11:05:15 -0400
Size: 4439
Url: http://linux-nfs.org/pipermail/nfsv4/attachments/20060710/a1d74259/AlittleencouragementwithKerberosforNFS.eml
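
A triage sketch for the three log excerpts in the post above, added here as an example and not part of the original message or of nfs-utils: it decodes the enctype numbers in the KDC's TGS_REQ line and collects the client, KDC and server events in one list. The sample lines are copied from the post with mail wrapping rejoined; the function and constant names are assumptions of this example.

```python
import re

# Kerberos encryption type numbers (IANA registry, RFC 3961 and later).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}  # deprecated by RFC 6649

# The list archive rewrites "@" as " at "; accept both spellings.
PRINC = r"(\S+(?:@| at )\S+)"
TGS = re.compile(r"krb5kdc\[\d+\]\(info\): TGS_REQ .*?: (\w+): authtime \d+, "
                 r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, "
                 + PRINC + " for " + PRINC)
MAP_FAIL = re.compile(r"rpc\.svcgssd\[\d+\]: WARNING: get_ids: unable to map "
                      r"name '([^']+)' to a uid")
CTX_FAIL = re.compile(r"rpc\.gssd\[\d+\]: WARNING: Failed to create krb5 context "
                      r"for user with uid (\d+) for server (\S+)")

# Log lines from the post above, with the e-mail line wrapping rejoined.
SAMPLE = [
    "Jul 10 09:31:02 ns2 rpc.gssd[29375]: WARNING: Failed to create krb5 "
    "context for user with uid 0 for server ns3.an3e.org",
    "Jul 10 09:31:02 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (1 etypes {1}) "
    "64.165.113.66: ISSUE: authtime 1152549001, etypes {rep=16 tkt=1 ses=1}, "
    "nfs/ns2.an3e.org at AN3E.ORG for nfs/ns3.an3e.org at AN3E.ORG",
    "Jul 10 09:41:04 ns3 rpc.svcgssd[10950]: WARNING: get_ids: unable to map "
    "name 'nfs/ns2.an3e.org at AN3E.ORG' to a uid",
]

def triage(lines):
    """Return one tuple per recognised event: client, KDC or server side."""
    findings = []
    for line in lines:
        if m := TGS.search(line):
            status, rep, tkt, ses, client, service = m.groups()
            weak = sorted({int(rep), int(tkt), int(ses)} & SINGLE_DES)
            findings.append(("kdc", status, client, service,
                             [ETYPES.get(e, str(e)) for e in weak]))
        elif m := MAP_FAIL.search(line):
            findings.append(("server", "no-uid-mapping", m.group(1)))
        elif m := CTX_FAIL.search(line):
            findings.append(("client", "context-failed", m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the post's lines the KDC entry comes back as ISSUE with des-cbc-crc ticket and session keys, so the ticket request itself succeeded; the remaining events are the client's context failure and the server's name-mapping warning.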

